Programmatically determine user who last modified file on Windows?

Question

I've been tasked with writing a simple command line utility in C# that will monitor a directory on a server that several users will be accessing to copy/cut/paste/view data. I used FileSystemWatcher to do this but it's lacking a couple features.

Is it possible to determine the user or at least the computer name from where the file is being accessed/modified?

(Note: This doesn't have to be with FileSystemWatcher, I'm looking for ANY way to do this.)

Answer 1

I don't think you'll be able to monitor this from C# directly. Not without the help of the host operating system anyway. Windows and NTFS allow you to audit a particular directory and log the accesses in the Security event log for the host machine (so the server hosting the share would have to audit, not the client).

From KB310399 - How to audit user access of files, folders, and printers in Windows XP

Auditing User Access of Files, Folders, and Printers

The audit log appears in the Security log in Event Viewer. To enable this feature:

1. Click Start, click Control Panel, click Performance and Maintenance, and then click Administrative Tools.
2. Double-click Local Security Policy.
3. In the left pane, double-click Local Policies to expand it.
4. In the left pane, click Audit Policy to display the individual policy settings in the right pane.
5. Double-click Audit object access.
6. To audit successful access of specified files, folders and printers, select the Success check box.
7. To audit unsuccessful access to these objects, select the Failure check box.
8. To enable auditing of both, select both check boxes.
9. Click OK.

Specifying Files, Folders, and Printers to Audit

After you enable auditing, you can specify the files, folders, and printers that you want audited. To do so:

1. In Windows Explorer, locate the file or folder you want to audit. To audit a printer, locate it by clicking Start, and then clicking Printers and Faxes.
2. Right-click the file, folder, or printer that you want to audit, and then click Properties.
3. Click the Security tab, and then click Advanced.
4. Click the Auditing tab, and then click Add.
5. In the Enter the object name to select box, type the name of the user or group whose access you want to audit. You can browse the computer for names by clicking Advanced, and then clicking Find Now in the Select User or Group dialog box.
6. Click OK.
7. Select the Successful or Failed check boxes for the actions you want to audit, and then click OK.
8. Click OK, and then click OK.

The process is similar for the server operating systems and Windows Vista/Windows 7. If you go this route, you can have the C# program read the event log (See EventLog class) to look for the data you want.

Note: Starting with vista you must be and (UAC elevated if needed) administrator to read them from code.

Answer 2

Make sure to have WMI installed or enabled on your PC, also make sure to add a reference to System.Management and System.Management.Instrumentation as well. There is also a C# and VB WMI scripting application GUI that you can download to run and test WMI Queries against as well Google that one. Since I work for Dept of Defense there are certain things that I can get to from here in regards to the web other things are blocked out so please forgive me if I don't post certain web links.

Here is something to get you started

    ManagementScope mgtScope = new ManagementScope("\\\\ComputerName\\root\\cimv2");
    // you could also replace the username in the select with * to query all objects
    ObjectQuery objQuery = new ObjectQuery("SELECT username FROM Win32_ComputerSystem");

    ManagementObjectSearcher srcSearcher = new ManagementObjectSearcher(mgtScope, objQuery);

    ManagementObjectCollection colCollection = srcSearcher.Get();

    foreach (ManagementObject curObjCurObject in colCollection)
    {

        Console.WriteLine(curObjCurObject["username"].ToString());
    } 

  //if you want ot get the name of the machine that changed it once it gets into that  Event change the query to look like this. I just tested this locally and it does work 

    ManagementObjectSearcher mosQuery = new ManagementObjectSearcher("SELECT * FROM Win32_Process WHERE ProcessId = " + Process.GetCurrentProcess().Id.ToString());
    ManagementObjectCollection queryCollection1 = mosQuery.Get();
    foreach (ManagementObject manObject in queryCollection1)
    {
        Console.WriteLine("Name : " + manObject["name"].ToString());
        Console.WriteLine("Version : " + manObject["version"].ToString());
        Console.WriteLine("Manufacturer : " + manObject["Manufacturer"].ToString());
        Console.WriteLine("Computer Name : " + manObject["csname"].ToString());
        Console.WriteLine("Windows Directory : " + manObject["WindowsDirectory"].ToString());
    }